More secure root wrapper

Nova needs root access for a number of actions, and currently does so through sudo. Each distribution needs to provide its own sudoers file in packaging, and sudoers offers suboptimal filtering of allowed actions, potentially providing a privilege escalation path.

This spec continues the work started in Diablo (refactoring the privilege escalation mechanism) by proposing a more secure root wrapper that allows: